Solved: KV_MODE=xml not working but xmlkv is

willcwhite · ‎04-07-2020

I have an app on a deployment server that takes in XML data, this app includes a props.conf with KV_MODE=xml.
When I see the data in Splunk, no XML fields are being extracted, but when I add | xmlkv to the end of my query, it extracts all XML fields. Since KV_MODE is for search time extractions does that mean that I have to also put this props.conf on the SHC? Or is there another reason why it's not working?

Thanks in advance.

manjunathmeti · ‎04-07-2020

KV_MODE is search time attribute. This doesn't work in indexers. You need to add it in props.conf in search head(s).

KV_MODE = [none|auto|auto_escaped|multi|json|xml]
* Used for search-time field extractions only.
* Specifies the field/value extraction mode for the data.

View solution in original post

manjunathmeti · ‎04-07-2020

KV_MODE is search time attribute. This doesn't work in indexers. You need to add it in props.conf in search head(s).

KV_MODE = [none|auto|auto_escaped|multi|json|xml]
* Used for search-time field extractions only.
* Specifies the field/value extraction mode for the data.

KV_MODE=xml not working but xmlkv is

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Join the Conversation

KV_MODE=xml not working but xmlkv is

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey